On May 5, 2008, at 6:46 AM, Faramir wrote:

> David Shaw wrote:
> .....
>> If someone wants to sign your key, you then end up with:
>>
>>   KEY + UID + SELFSIG + SIG
>>
>> So SELFSIG is you saying "I bind this KEY and UID together", and SIG
>> is the other person saying "Me too".
>>
>> If you add another UID at this point, you have:
>>
>>   KEY + UID + SELFSIG + SIG + UID + SELFSIG
>>
>> Now, note that the other person hasn't made any statement about
>> whether the second UID is valid. YOU have, but then, it's your key:
>> you can make any statement you like. It only becomes believable when
>> someone else adds their "me too".
>
> I was reading this message again, and I'd like to know: is there any
> point in signing a key _but not giving any trusted status_?

Absolutely. You signing a key means that you believe the key to
belong to who it claims to belong to. You are certifying the mapping
between person (or auto-signing robot, or...) and the key. Giving
trusted status to the key means that you trust that person/robot/etc
to sign other keys.
You signing a key makes that key "valid" in GPG.
You signing a key and assigning trust to it makes other keys *they*
sign (potentially) valid.
David
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
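
The validity/trust distinction from the message above, as an added example that is not part of the original thread and not GnuPG's own code: a deliberately simplified Python model that groups a flat packet list like `KEY + UID + SELFSIG + SIG` by user ID and computes which user IDs count as valid. Assumptions: the key names, addresses and function names are constructed; only a single "trusted" level is modelled (no marginal trust, depth limits, expiry or revocation); a self-signature is required but never counts as someone else's "me too".

```python
# Simplified model, not GnuPG's trust algorithm. All names/addresses are constructed.

def group_packets(packets):
    """Attach each SELFSIG/SIG to the most recent UID in a flat packet list."""
    uids, current = {}, None
    for kind, value in packets:
        if kind == "UID":
            current = value
            uids[current] = {"selfsig": False, "sigs": set()}
        elif kind == "SELFSIG" and current is not None:
            uids[current]["selfsig"] = True
        elif kind == "SIG" and current is not None:
            uids[current]["sigs"].add(value)      # value = signer's key
    return uids

def valid_uids(keyring, me, trusted):
    """Return the set of (key, uid) pairs that are valid from `me`'s point of view."""
    valid = {(me, uid) for uid in group_packets(keyring[me])}   # my own key
    changed = True
    while changed:
        changed = False
        valid_keys = {key for key, _ in valid}
        # A certification counts if I made it, or if it was made by a key
        # that is itself valid AND that I have assigned trust to.
        introducers = {me} | (set(trusted) & valid_keys)
        for key, packets in keyring.items():
            for uid, info in group_packets(packets).items():
                if (key, uid) in valid or not info["selfsig"]:
                    continue
                if info["sigs"] & introducers:
                    valid.add((key, uid))
                    changed = True
    return valid

# Constructed sample keyring: ALICE has a second UID that nobody else certified.
KEYRING = {
    "ME":    [("KEY", "ME"), ("UID", "me@example.org"), ("SELFSIG", "ME")],
    "ALICE": [("KEY", "ALICE"),
              ("UID", "alice@example.org"), ("SELFSIG", "ALICE"), ("SIG", "ME"),
              ("UID", "alice@work.example"), ("SELFSIG", "ALICE")],
    "BOB":   [("KEY", "BOB"), ("UID", "bob@example.org"),
              ("SELFSIG", "BOB"), ("SIG", "ALICE")],
}

if __name__ == "__main__":
    print("signed only:     ", sorted(valid_uids(KEYRING, "ME", set())))
    print("signed + trusted:", sorted(valid_uids(KEYRING, "ME", {"ALICE"})))
```
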